
Installation On-Premises

IQ Server can be configured to run on multiple nodes with Active-Active Clustering to limit downtime. The architecture of this clustering model consists of more than two nodes that operate simultaneously.

The installation requirements and architecture for IQ Server described here are designed to protect your on-premise IQ Server installations from scenarios such as:

  1. Node/server failure within a data center

  2. IQ Server service failure

We have thoroughly tested and verified the functionality and performance of the Sonatype IQ Server with the third-party tools, technologies, and platforms named in this section. Using other equivalent technologies and platforms may not produce the same outcomes and is not supported by Sonatype.

Requirements for HA installation on-premises

In addition to the general requirements, here are the specific requirements for high-availability on-premise deployments:

  1. A tool/utility to set up Kubernetes clusters

    1. example: Kops

  2. A tool/utility to customize Kubernetes objects

    1. example: Kustomize

  3. Bare metal/virtual machines to be configured as nodes

Reference Architecture


Steps to Implement the Reference Architecture

Refer to the README to review the implementation details.

Step 1 - Setting up the database

Set up a PostgreSQL database and ensure that the worker nodes within the Kubernetes cluster can communicate with it. We recommend one that is also set up for high availability.

Step 2 - On-premises Kubernetes cluster

Set up a Kubernetes cluster consisting of at least 2 nodes, each running an instance of IQ Server.

Step 3 - Storage file system

IQ Server HA is designed to have access to a shared cluster directory to save scans and report files.

We recommend using an NFS Persistent Volume (PV) for the shared cluster directory with performance similar to that of Amazon EFS.

Step 4 - Kubernetes Namespace - optional

Create a separate Kubernetes namespace for IQ Server HA by using the kubectl tool:

kubectl create namespace <namespace>

Alternatively, you can use the default namespace.

Step 5 - Ingress Controller - optional

Install an Ingress Controller in your Kubernetes cluster and configure it to allow the automatic provisioning of resources. The Helm chart can install the ingress-nginx controller for you when the ingress-nginx.enabled value is set to true:

--set ingress-nginx.enabled=true

Step 6 - Install Helm Chart

Install the latest Helm chart from the IQ Server HA Helm chart repository, with the correct settings for the parameters.

Step 7 - Prepare the PostgreSQL Server

A user account needs to be provisioned for IQ Server to connect to the database.

Example:

CREATE USER sonatypeiq WITH PASSWORD 'the-secret-password';
CREATE DATABASE sonatypeiq WITH OWNER sonatypeiq ENCODING 'UTF8';

The above commands will create a user and database named "sonatypeiq", granting that user the needed privileges for IQ Server to function.

Set the database encoding to UTF8 for compatibility with the character set used by IQ Server.

Running your Kubernetes Cluster

Follow the steps in the latest README for running the Kubernetes cluster.

Overrides for Helm Chart

Some settings in the Helm chart must be customized or overridden to match the IQ Server HA deployment requirements.

Use the --set flag (or --set-file) to override the Helm chart settings as specified in the README.

Below is a list of Helm chart overrides (refer to README for implementation details):

  1. Database configuration

  2. Shared file system

    1. To share data between IQ Server pods, such as scans, reports, component details, advanced search index, etc.

  3. Load Balancer

    1. A load balancer must be configured to allow and route external requests to IQ Server pods.

  4. Transport Layer Security (TLS) certificate and key (optional)

  5. Unified logging layer - Fluentd

  6. IQ Server docker image version (as specified in the Helm chart)

  7. IQ Server configuration parameters (optional)
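Putting Steps 4 to 7 and the database override together, here is an added example script (not Sonatype's code or the README's) that provisions the sonatypeiq role and database and installs the chart while keeping the database password out of shell history and process listings: the password travels only via a 0600 file passed with --set-file and via psql's stdin. It assumes psql, kubectl and helm are on PATH; the chart name and the database-password value key are PLACEHOLDER values to be taken from the chart README.

```shell
#!/usr/bin/env bash
# Added example (not Sonatype's code). Provisions the Step 7 database role and
# installs the Helm chart, keeping the DB password out of shell history and
# `ps` output: it travels via a 0600 file (--set-file) and psql's stdin only.
# Assumes psql, kubectl and helm are on PATH. PLACEHOLDER values (chart name,
# database-password value key) must be taken from the chart README.
set -eu

NAMESPACE="${NAMESPACE:-sonatype-iq}"                                # constructed sample
CHART="${CHART:-PLACEHOLDER/iq-server-ha}"                           # placeholder
DB_PASSWORD_KEY="${DB_PASSWORD_KEY:-PLACEHOLDER.database.password}"  # placeholder
PGURL="${PGURL:-postgres://postgres@localhost/postgres}"             # admin connection

# Random alphanumeric password of the requested length (default 32). Only
# [A-Za-z0-9] is emitted, so it is safe inside the SQL literal below.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# Write a secret to a new file readable only by the current user; print its path.
write_secret_file() {
  ( umask 077; printf '%s' "$1" >"$2" )
  printf '%s\n' "$2"
}

# Step 7: create the role and UTF8 database. The password is expanded inside
# the here-document, so psql receives it on stdin rather than as an argument.
provision_db() {
  psql -v ON_ERROR_STOP=1 "$PGURL" <<SQL
CREATE USER sonatypeiq WITH PASSWORD '$(cat "$1")';
CREATE DATABASE sonatypeiq WITH OWNER sonatypeiq ENCODING 'UTF8';
SQL
}

# Steps 4-6: idempotent namespace creation, then the chart with the ingress
# override from Step 5 and the password read from the file, not from the CLI.
install_chart() {
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  helm upgrade --install iq-server-ha "$CHART" --namespace "$NAMESPACE" \
    --set ingress-nginx.enabled=true \
    --set-file "$DB_PASSWORD_KEY=$1"
}

# Run end to end only when explicitly requested (RUN_PROVISION=1).
if [ "${RUN_PROVISION:-0}" = 1 ]; then
  pw_file="$(write_secret_file "$(gen_password 32)" "$(mktemp -d)/db-password")"
  provision_db "$pw_file"
  install_chart "$pw_file"
fi
```

Keep the password file on the node that runs helm only as long as needed; the chart's own Secret handling (see the README) is what the pods consume.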